Icarus breached one company, Klue, and walked away with access to at least seven customer Salesforce environments. The entry point: a long-dormant integration credential that nobody revoked.
Klue CEO Jason Smith confirmed the attack began June 11, when the attacker used a dead legacy credential to push malicious code into Klue’s infrastructure, harvesting OAuth tokens connected to platforms including Salesforce, HubSpot, SharePoint, Slack, and Zoom. Those tokens gave Icarus authenticated access to downstream CRM environments with no password required.
Confirmed victims include Recorded Future, Huntress, Tanium, Jamf, Sprout Social, Gong, and Insurity. Huntress confirmed that stolen material included business contacts, sales communications, pricing structures, and opportunity notes: exactly the type of CRM data worth extorting.
ReliaQuest documented large-scale data theft carried out with Python scripts over extended periods. Icarus publicly claimed the attack on its dark-web leak site this week and is demanding that victims contact it via Session messenger or face a public data release. Klue has engaged CrowdStrike and notified law enforcement.
This mirrors OAuth-abuse campaigns attributed to ShinyHunters in 2025 and 2026, but the supply-chain twist compounds the damage: one integration vendor, one stale credential, seven blast radii. Icarus didn’t need a sophisticated attack. It needed one vendor with a bad housekeeping problem and customer data that wasn’t theirs to lose.
Salesforce has disabled the Klue Battlecards integration. The extortion clock is running.
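The defensive lesson in the chain above is that a vendor-side credential is only as harmless as the tokens stored behind it: one dormant or ownerless secret that can write to integration infrastructure is a path to every customer environment whose OAuth tokens that infrastructure holds. The following Python is an added example, not Klue's or any vendor's code; the inventory, the 90-day idle threshold and every identifier in it are constructed assumptions, and the audit date is chosen to match the article's June 11.

```python
from datetime import date

DORMANCY_DAYS = 90  # assumed revocation policy, not a value from the article
AUDIT_DATE = date(2026, 6, 11)  # constructed; matches the article's start date

# Constructed inventory modelled on the chain described above: a vendor-side
# credential that can push code to integration infrastructure, which in turn
# holds OAuth tokens for customer tenants. All identifiers are made up.
CREDENTIALS = [
    {"id": "legacy-deploy-key", "owner": None, "last_used": date(2025, 11, 2),
     "writes_to": ["sync-worker"]},
    {"id": "ci-runner-token", "owner": "platform-team", "last_used": date(2026, 6, 9),
     "writes_to": ["sync-worker", "web-app"]},
    {"id": "old-backup-sa", "owner": "ops", "last_used": date(2026, 1, 15),
     "writes_to": ["backup-host"]},
]
STORED_TOKENS = [
    # system holding the token -> customer tenant and downstream platform
    {"system": "sync-worker", "tenant": "customer-a", "platform": "salesforce"},
    {"system": "sync-worker", "tenant": "customer-a", "platform": "hubspot"},
    {"system": "sync-worker", "tenant": "customer-b", "platform": "salesforce"},
    {"system": "web-app", "tenant": "customer-c", "platform": "slack"},
    {"system": "backup-host", "tenant": "customer-d", "platform": "sharepoint"},
]


def blast_radius(cred, tokens):
    """Customer tenants whose tokens sit on a system this credential can modify."""
    systems = set(cred["writes_to"])
    return sorted({t["tenant"] for t in tokens if t["system"] in systems})


def dormant_credentials(creds, tokens, today, max_idle_days=DORMANCY_DAYS):
    """(credential id, idle days, reachable tenants) for every credential that is
    idle past the threshold or has no owner, widest blast radius first."""
    findings = []
    for c in creds:
        idle = (today - c["last_used"]).days
        if idle > max_idle_days or c["owner"] is None:
            findings.append((c["id"], idle, blast_radius(c, tokens)))
    return sorted(findings, key=lambda f: (-len(f[2]), f[0]))


if __name__ == "__main__":
    for cid, idle, tenants in dormant_credentials(CREDENTIALS, STORED_TOKENS, AUDIT_DATE):
        print(f"revoke {cid}: idle {idle}d, exposes {len(tenants)} tenant(s) {tenants}")
```

Run against a real inventory, the same traversal turns a list of forgotten secrets into a revocation queue ordered by how many customer environments each one exposes.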
Diana Kowalski